Security - Cisco Firewall TRAINING

Presentation on theme: "Security - Cisco Firewall TRAINING"— Presentation transcript:

1 Security - Cisco Firewall TRAINING

2 Course Flow
Content, objectives and schedule: 5 days, mornings from 9:00 to 11:30, afternoons from 14:00 to 16:30
Day 1: Lesson 1: Cisco Security Appliances Overview; Lesson 2: Getting Started with Cisco Security Appliances
Day 2: Lesson 2: Getting Started with Cisco Security Appliances (continued); Lesson 3: Managing the Security Appliance; Lesson 4: Access Control Lists
Day 3: Lesson 5: Cisco Adaptive Security Device Manager; Lesson 6: Firewall Switch Modules (FWSM)
AM 8:30 to 11:30: Theory
PM 14:00 to 17:00: Hands-on Lab. Lesson 1: Console connection setting; Lesson 2: Execute general commands; Lesson 3: Configure Security Appliance interfaces; Lesson 4: Configure NAT and routing; Lesson 5: Test the inside, outside, and DMZ interface connectivity; Lesson 6: Configure ACLs on the Security Appliance; Lesson 7: Managing the Security Appliance

3 Introduction
Trainer introduction: name, position, experience
Trainee introduction: name, security and network knowledge and experience

4 Lesson 1 Cisco Security Appliances Overview

5 What Is a Firewall?
(Diagram: Inside Network, DMZ Network and Outside Network/Internet, separated by the firewall.)
A firewall is a system or group of systems that manages access between two or more networks.

6 Firewall Technologies
Firewall operations are based on one of three technologies: Packet filtering Proxy server Stateful packet filtering

7 Packet Filtering
(Diagram: Host A on the Internet sends data to Server B in the DMZ and to Server C on the inside; A to B is allowed, A to C is not.)
Limits information that is allowed into a network based on the destination and source address

8 Proxy Server
(Diagram: a proxy server between the Outside Network/Internet and the Inside Network.)
Requests connections on behalf of a client

9 Stateful Packet Filtering
(Diagram: Host A on the Internet sends HTTP data to Server B in the DMZ; the firewall checks the packet against its state table.)
Limits information that is allowed into a network based not only on the destination and source addresses, but also on the packet's state-table content
State table columns: Source address, Destination address, Source port, Destination port, Initial sequence no., Ack, Flag
Example entries: source port 1026, destination port 80, initial sequence numbers 49769 and 49091, flag Syn

10 Security Appliances: What Are They?
Cisco security appliances deliver enterprise-class security for small-to-medium-sized business and enterprise networks in a modular, purpose-built appliance. Some features of Cisco security appliances are:
Proprietary operating system
Stateful packet inspection
User-based authentication
Protocol and application inspection
Modular policy framework
Virtual private networking
Security contexts (virtual firewalls)
Stateful failover capabilities
Transparent firewalls
Web-based management solutions

11 Proprietary Operating System
Eliminates the risks associated with general-purpose operating systems

12 Stateful Packet Inspection
The stateful packet inspection algorithm provides stateful connection security. It tracks source and destination ports and addresses, TCP sequence numbers, and additional TCP flags. It randomizes the initial TCP sequence number of each new connection. By default, the stateful packet inspection algorithm allows connections originating from hosts on inside (higher security level) interfaces. By default, the stateful packet inspection algorithm drops connection attempts originating from hosts on outside (lower security level) interfaces. The stateful packet inspection algorithm supports authentication, authorization, and accounting.
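The behaviour of slides 9 and 12 as an added Python model (not Cisco code and not from the original deck): interface security levels decide whether a new connection may start, a state table keyed on addresses and ports admits only return traffic that matches, and each new connection's initial sequence number is randomized. Interface names and levels follow the slides; the addresses, ports, sequence numbers and the `NETWORKS` mapping are constructed sample values.

```python
"""Toy model of the stateful packet inspection described in slides 9 and 12.
Added example for this page, not Cisco code. It models interface security levels
(new connections are admitted only from the higher-security side), a state table
keyed on addresses and ports, and randomization of each new connection's initial
sequence number (ISN). Addresses, ports and sequence numbers are constructed."""
import random

SECURITY_LEVELS = {"inside": 100, "dmz": 50, "outside": 0}
# Constructed addressing: the network reached through each named interface.
NETWORKS = {"inside": "10.0.1.", "dmz": "172.16.1."}
MOD = 2 ** 32


def packet(ingress, src, sport, dst, dport, flags, seq=0, ack=0):
    """Minimal TCP view of a packet; flags is a set such as {"SYN"} or {"SYN", "ACK"}."""
    return {"ingress": ingress, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": frozenset(flags), "seq": seq, "ack": ack}


class StatefulFirewall:
    def __init__(self, levels=SECURITY_LEVELS, networks=NETWORKS, seed=None):
        self.levels = levels
        self.networks = networks
        self.rng = random.Random(seed)
        # (src, sport, dst, dport) of the initiator -> {"offset": ISN offset, "state": ...}
        self.table = {}

    def egress_for(self, dst):
        """Pick the interface the destination is reached through (default: outside)."""
        for name, prefix in self.networks.items():
            if dst.startswith(prefix):
                return name
        return "outside"

    def forward(self, pkt):
        """Return ("permit", rewritten packet) or ("drop", reason)."""
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        out = dict(pkt)
        if fwd in self.table:
            # Initiator -> responder: shift the sequence number by this flow's random offset.
            out["seq"] = (pkt["seq"] + self.table[fwd]["offset"]) % MOD
            return "permit", out
        if rev in self.table:
            # Responder -> initiator: undo the shift on the ack so the client sees its own ISN.
            entry = self.table[rev]
            if {"SYN", "ACK"} <= pkt["flags"]:
                entry["state"] = "ESTABLISHED"
            out["ack"] = (pkt["ack"] - entry["offset"]) % MOD
            return "permit", out
        if pkt["flags"] != {"SYN"}:
            # No state for this flow and not a connection attempt: nothing to match, drop.
            return "drop", "no matching state-table entry"
        egress = self.egress_for(pkt["dst"])
        if self.levels[pkt["ingress"]] <= self.levels[egress]:
            # Connection attempt from a lower (or equal) security level: denied by default.
            return "drop", f"new connection from {pkt['ingress']} to {egress} denied by default"
        offset = self.rng.randrange(MOD)
        self.table[fwd] = {"offset": offset, "state": "SYN_SENT"}
        out["seq"] = (pkt["seq"] + offset) % MOD
        return "permit", out


def demo():
    """Walk the slide's 1026 -> 80 connection plus two inbound attempts; return the verdicts."""
    fw = StatefulFirewall(seed=7)
    results = []
    # Inside client opens HTTP to the DMZ web server: higher to lower security level, permitted.
    syn = packet("inside", "10.0.1.11", 1026, "172.16.1.2", 80, {"SYN"}, seq=49769)
    results.append(fw.forward(syn))
    # The server acknowledges the randomized ISN it saw; the firewall maps the ack back to 49770.
    seen_isn = results[0][1]["seq"]
    synack = packet("dmz", "172.16.1.2", 80, "10.0.1.11", 1026, {"SYN", "ACK"},
                    seq=49091, ack=(seen_isn + 1) % MOD)
    results.append(fw.forward(synack))
    # Outside host opens a new connection to an inside host: no state, lower level, dropped.
    results.append(fw.forward(packet("outside", "198.51.100.7", 40000, "10.0.1.11", 445,
                                     {"SYN"}, seq=1)))
    # Stray ACK from outside with no state-table entry: dropped as well.
    results.append(fw.forward(packet("outside", "198.51.100.7", 40000, "10.0.1.11", 445,
                                     {"ACK"}, seq=2, ack=9)))
    return results


if __name__ == "__main__":
    for verdict, detail in demo():
        print(verdict, detail if verdict == "drop" else f"seq={detail['seq']} ack={detail['ack']}")
```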

13 Application-Aware Inspection
(Diagram: an FTP client with control port 2008 and data port 2010 talks to the FTP server's control port 21 and data port 20; the firewall learns "Data - Port 2010" from the control channel and opens port 2010 for the data connection.)
Protocols such as FTP, HTTP, H.323, and SQL*Net need to negotiate connections to dynamically assigned source or destination ports through the firewall. The security appliance inspects packets above the network layer. The security appliance securely opens and closes negotiated ports for legitimate client-server connections through the firewall.

14 Modular Policy
(Diagram: a class map identifies traffic flows (default Internet, systems engineer, executives, site to site); a policy map attaches services to them (inspect, IPS, police, priority); a service policy applies the policy map to an interface (outside) or globally. The example network has headquarters with a T1 Internet link, executives and a system engineer, and site-to-site links to Site B and Site C.)

15 Virtual Private Network
(Diagram: a site-to-site IPsec VPN between headquarters and a bank, and SSL VPN remote access, both across the Internet.)

16 Security Context (Virtual Firewall)
(Diagram: one physical firewall hosting four virtual firewalls, compared with four physical firewalls, each connected to the Internet.)
Ability to create multiple security contexts (virtual firewalls) within a single security appliance

17 Failover Capabilities: Active/Standby, Active/Active, and Stateful Failover
(Diagram: Active/Standby failover, where the failed primary firewall is replaced by the secondary, now active; Active/Active failover, where contexts 1 and 2 are split across both units and the failed primary's contexts move to the secondary.)
Failover protects the network if the primary security appliance goes offline.
Active/standby: Only one unit can be actively processing traffic; the other is a hot standby.
Active/active: Both units can process traffic and serve as backup units.
Stateful failover maintains the operating state during failover.

18 Transparent Firewall Internet Has the ability to deploy a security appliance in a secure bridging mode Provides rich Layers 2 through 7 security services as a Layer 2 device

19 Web-Based Management Solutions
Adaptive Security Device Manager

20 Models and Features of Cisco Security Appliances

21 ASA 5500 Series
(Diagram: price and functionality rising across the SOHO, ROBO, SMB, Enterprise and SP segments, with Gigabit Ethernet at the upper end.)
SP = service provider

22 PIX 500 Series
(Diagram: PIX 501, PIX 506E and PIX 515E placed by price and functionality across the SOHO, ROBO, SMB, Enterprise and SP segments, with Gigabit Ethernet at the upper end.)

23 Cisco ASA 5510 Adaptive Security Appliance
Delivers advanced security and networking services, including high-performance VPN services, for small and medium-sized businesses and enterprise branch offices
Provides up to 130,000 concurrent connections
Provides up to 300-Mbps firewall throughput
Provides interface support: up to 5 10/100 Fast Ethernet interfaces, up to 25 VLANs, up to 5 contexts
Supports failover: active/standby
Supports VPNs: site to site (250 peers), remote access, WebVPN
Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

24 Cisco ASA 5520 Adaptive Security Appliance
Delivers advanced security services, including high-performance VPN services, for medium-sized enterprise networks
Provides up to 280,000 concurrent connections
Provides up to 450-Mbps firewall throughput
Provides interface support: 4 10/100/1000 Gigabit Ethernet interfaces, 1 10/100 Fast Ethernet interface, up to 100 VLANs, up to 20 contexts
Supports failover: active/standby, active/active
Supports VPNs: site to site (750 peers), remote access, WebVPN
Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

25 Cisco ASA 5540 Adaptive Security Appliance
Delivers high-performance, high-density security services, including high-performance VPN services, for medium-sized and large enterprise networks and service provider networks
Provides up to 400,000 concurrent connections
Provides up to 650-Mbps firewall throughput
Provides interface support: 4 10/100/1000 Gigabit Ethernet interfaces, 1 10/100 Fast Ethernet interface, up to 200 VLANs, up to 50 contexts
Supports failover: active/standby, active/active
Supports VPNs: site to site (5,000 peers), remote access, WebVPN
Supports optional SSMs (Cisco ASA AIP SSM, Cisco ASA CSC SSM, and four-port Gigabit Ethernet SSM)

26 ASA 5510, 5520, and 5540 Adaptive Security Appliances Front Panel
Status Flash Power Active VPN

27 ASA 5510, 5520, and 5540 Adaptive Security Appliances Back Panel
CompactFlash Fixed interfaces Security services module

28 ASA 5510, 5520, and 5540 Adaptive Security Appliances Connectors
CompactFlash 10/100 out-of-band management port Console port Power supply (AC or DC) Four 10/100/1000 Gigabit Ethernet ports* AUX ports Two USB 2.0 ports *ASA 5510 Adaptive Security Appliance supports 10/100 Fast Ethernet ports.

29 Cisco ASA Security Services Module
High-performance module designed to provide additional security services Diskless (Flash-based) design for improved reliability Gigabit Ethernet port for out-of-band management

30 SSM Models
SSM-10: 2.0-GHz processor, 1.0 GB RAM
SSM-20
(Diagram: module LEDs for Speed, Link and activity, Power, Status.)

31 Four-Port Gigabit Ethernet SSM
RJ-45 link LED SFP link LED SFP speed LED RJ-45 speed LED Status LED SFP ports RJ-45 ports Power LED

32 Summary
A firewall is a system or group of systems that manages access between two or more networks.
A stateful firewall is the type of firewall device that works most effectively.
Cisco security appliances include the Cisco PIX and ASA.
The ASA 5510 and 5520 security devices target small and medium enterprises.
The functions of the security devices can be expanded with SSMs.

33 Lesson 2 Getting Started with Cisco Security Appliances

34 User Interface

35 Security Appliance Access Modes
A Cisco security appliance has four main administrative access modes:
Unprivileged: ciscoasa>
Privileged: ciscoasa#
Configuration: ciscoasa(config)#
Monitor: monitor>

36 Access Privileged Mode
ciscoasa> enable [priv_level]
Used to control access to the privileged mode; enables you to enter other access modes
ciscoasa> enable
password:
ciscoasa#

37 Access Configuration Mode: configure terminal Command
ciscoasa# configure terminal
Used to start configuration mode to enter configuration commands from a terminal
ciscoasa# exit
Used to exit from an access mode
ciscoasa> enable
password:
ciscoasa# configure terminal
ciscoasa(config)# exit
ciscoasa# exit
ciscoasa>

38 help Command
ciscoasa> help ?
enable   Turn on privileged commands
exit     Exit the current command mode
login    Log in as a particular user
logout   Exit from current user profile to unprivileged mode
perfmon  Change or view performance monitoring options
ping     Test connectivity from specified interface to an IP address
quit     Exit the current command mode
ciscoasa> help enable
USAGE: enable [<priv_level>]

39 File Management

40 Viewing and Saving Your Configuration
The following commands enable you to view your configuration: show running-config, show startup-config
The following commands enable you to save your configuration: copy run start, write memory
(Diagram: configuration changes are made in the running-config; copy run start saves them to the startup-config.)

41 Clearing Running Configuration
(Diagram: clear config all resets the running-config to the default; the startup-config is untouched.)
ciscoasa(config)# clear configure all
Clears the running configuration
ciscoasa(config)# clear config all

42 Clearing Startup Configuration
(Diagram: write erase resets the startup-config to the default; the running-config is untouched.)
ciscoasa# write erase
Clears the startup configuration
ciscoasa# write erase

43 Reload the Configuration: reload Command
ciscoasa# reload [at hh:mm [month day | day month]] [cancel] [in [hh:]mm] [max-hold-time [hh:]mm] [noconfirm] [quick] [reason text] [save-config]
Reboots the security appliance and reloads the configuration; allows scheduled reboots
ciscoasa# reload
Proceed with reload? [confirm] y
Rebooting...

44 File System Release 7.0 Software image Configuration file Private data
and later Software image Configuration file Private data ASDM image Backup image* Backup configuration file*

45 Displaying Stored Files: System and Configuration
(Diagram: the ASA uses disk0: and disk1:; the PIX Security Appliance uses flash:.)
ciscoasa# dir [/all] [/recursive] [all-filesystems] [disk0: | disk1: | flash: | system:]
Display the directory contents
ciscoasa# dir
Directory of disk0:/
rw :37:33 Jul asa721-k8.bin
rw :21:13 Jul asdm-521.bin
bytes total ( bytes free)

46 Security Level Example
Outside Network: GigabitEthernet0/0 (g0/0), security level 0, interface name = outside, toward the Internet
Inside Network: GigabitEthernet0/1 (g0/1), security level 100, interface name = inside
DMZ Network: GigabitEthernet0/2 (g0/2), security level 50, interface name = DMZ

47 Examining Security Appliance Status

48 show Commands: show run interface, show interface
asa1# show run interface
. . .
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Detected: Speed 1000 Mbps, Full-duplex
  Requested: Auto
  MAC address 000b.fcf8.c538, MTU 1500
  IP address , subnet mask
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 packets output, 0 bytes, 0 underruns
  input queue (curr/max blocks): hardware (0/0) software (0/0)
  output queue (curr/max blocks): hardware (0/0) software (0/0)
  Received 0 VLAN untagged packets, 0 bytes
  Transmitted 0 VLAN untagged packets, 0 bytes
  Dropped 0 VLAN untagged packets

49 show memory Command
asa1# show memory
Free memory: bytes (87%)
Used memory: bytes (13%)
Total memory: bytes (100%)

50 show cpu usage Command
asa1# show cpu usage
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

51 show version Command
asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 2 mins 51 secs
Hardware: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 64MB
BIOS Flash 0xffe00000, 1024KB
. . .

52 show ip address Command
(Diagram: the appliance's interfaces end in .1; a host on the outside ends in .2.)
asa1# show ip address
System IP Addresses:
Interface            Name      IP address   Subnet mask   Method
GigabitEthernet0/0   outside                              CONFIG
GigabitEthernet0/1   inside                               CONFIG
GigabitEthernet0/2   dmz                                  CONFIG
Current IP Addresses:
GigabitEthernet0/    outside                              CONFIG
GigabitEthernet0/    inside                               CONFIG
GigabitEthernet0/    dmz                                  CONFIG

53 show interface Command
asa1# show interface
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps
  Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
  MAC address 0013.c482.2e4c, MTU 1500
  IP address , subnet mask
  8 packets input, 1078 bytes, 0 no buffer
  Received 8 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions
  0 late collisions, 0 deferred
  input queue (curr/max blocks): hardware (8/0) software (0/0)
  output queue (curr/max blocks): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
    8 packets input, 934 bytes
    0 packets output, 0 bytes
    8 packets dropped
    1 minute input rate 0 pkts/sec, 0 bytes/sec
    1 minute output rate 0 pkts/sec, 0 bytes/sec
    1 minute drop rate, 0 pkts/sec
    5 minute input rate 0 pkts/sec, 0 bytes/sec
    5 minute output rate 0 pkts/sec, 0 bytes/sec
    5 minute drop rate, 0 pkts/sec

54 show nameif Command
(Diagram: GigabitEthernet0/0 (g0/0), interface name = outside, security level = 0, toward the Internet; GigabitEthernet0/1 (g0/1), interface name = inside, security level = 100; GigabitEthernet0/2 (g0/2), interface name = dmz, security level = 50.)
asa1# show nameif
Interface            Name      Security
GigabitEthernet0/    outside
GigabitEthernet0/    inside
GigabitEthernet0/    dmz

55 show run nat Command
(Diagram: inside host X is translated to X.X.X.X toward the Internet.)
ciscoasa# show run nat
Displays a single host or range of hosts to be translated
asa1# show run nat
nat (inside)

56 show run global Command
(Diagram: the mapped pool on the outside interface, toward the Internet.)
ciscoasa# show run global
Displays the pool of mapped addresses
asa1# show run global
global (outside) netmask

57 show xlate Command
(Diagram: the xlate table maps inside local addresses to the outside mapped pool.)
ciscoasa# show xlate
Displays the contents of the translation slots
asa1# show xlate
1 in use, 1 most used
Global Local

58 show route Command
(Diagram: interfaces g0/0 (.1), g0/1 and g0/2, with the Internet beyond g0/0.)
ciscoasa# show route [interface_name [ip_address [netmask [static]]]]
Displays the contents of the routing table
asa1(config)# show route
S [1/0] via , outside
C is directly connected, inside
C* is directly connected, cplane
C is directly connected, dmz
C is directly connected, outside

59 ping Command
(Diagram: hosts 10.0.1.11 and 10.0.1.4, with the Internet beyond the appliance.)
ciscoasa# ping [if_name] host [data pattern] [repeat count] [size bytes] [timeout seconds] [validate]
Determines whether other devices are visible from the security appliance
asa1# ping
Sending 5, 100-byte ICMP Echos to , timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

60 traceroute Command
(Diagram: a trace toward example.com across the Internet.)
ciscoasa# traceroute {destination_ip | hostname} [source source_ip | source-interface] [numeric] [timeout timeout_value] [probe probe_num] [ttl min_ttl max_ttl] [port port_value] [use-icmp]
Determines the route packets will take to their destination
asa1# traceroute

61 Basic Security Appliance Configuration

62 Basic CLI Commands for Security Appliances
hostname, interface, nameif, ip address, security-level, speed, duplex, no shutdown, nat-control, nat, global, route
(Diagram: interfaces g0/0, g0/1 and g0/2, with the Internet beyond the appliance.)

63 Assigning a Hostname to Security Appliance: Changing the CLI Prompt
(Diagram: New York (asa1), Boston (asa2) and Dallas (asa3), each with a server, connected across the Internet.)
ciscoasa(config)# hostname newname
Changes the hostname in the security appliance CLI prompt
ciscoasa(config)# hostname asa1
asa1(config)#

64 interface Command and Subcommands
(Diagram: GigabitEthernet0/0 (g0/0), GigabitEthernet0/1 (g0/1) and GigabitEthernet0/2 (g0/2), with the Internet beyond the appliance.)
ciscoasa(config)# interface {physical_interface[.subinterface] | mapped_name}
Enters configuration mode for the interface you specify
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)#

65 Assign an Interface Name: nameif Subcommand
(Diagram: GigabitEthernet0/0 (g0/0), interface name = outside; GigabitEthernet0/1 (g0/1), interface name = inside; GigabitEthernet0/2 (g0/2), interface name = dmz.)
ciscoasa(config-if)# nameif if_name
Assigns a name to an interface on the security appliance.
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside

66 Assign Interface IP Address: ip address Subcommand
(Diagram: GigabitEthernet0/0 (g0/0), interface name = outside, with its IP address.)
ciscoasa(config-if)# ip address ip_address [mask] [standby ip_address]
Assigns an IP address to each interface
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address

67 DHCP-Assigned Address
(Diagram: GigabitEthernet0/0 (g0/0), interface name = outside, IP address = dhcp.)
ciscoasa(config-if)# ip address dhcp [setroute]
Enables the DHCP client feature on the outside interface
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address dhcp

68 Assign a Security Level: security-level Subcommand
(Diagram: GigabitEthernet0/0 (g0/0), interface name = outside, security level = 0.)
ciscoasa(config-if)# security-level number
Assigns a security level to the interface
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address
asa1(config-if)# security-level 0

69 Interfaces with Same Security Level: same-security-traffic Command
(Diagram: DMZ Network on GigabitEthernet0/2, security level 100, interface name = dmz; Inside Network on GigabitEthernet0/1, security level 100, interface name = inside.)
ciscoasa(config)# same-security-traffic permit {inter-interface | intra-interface}
Enables communication between interfaces with the same security level or allows traffic to enter and exit the same interface
asa1(config)# same-security-traffic permit inter-interface

70 Assign an Interface Speed and Duplex: speed and duplex Subcommands
(Diagram: GigabitEthernet0/0, speed = 1000, duplex = full.)
ciscoasa(config-if)# speed {10 | 100 | 1000 | auto | nonegotiate}
ciscoasa(config-if)# duplex {auto | full | half}
Sets the interface speed and duplex
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# nameif outside
asa1(config-if)# ip address
asa1(config-if)# security-level 0
asa1(config-if)# speed 1000
asa1(config-if)# duplex full

71 ASA Management Interface
(Diagram: Management0/0 (m0/0) with management only = no, alongside g0/0, g0/1 and g0/2.)
ciscoasa(config-if)# management-only
Configures an interface to accept management traffic only
ciscoasa(config-if)# no management-only
Disables management-only mode
asa1(config)# interface management0/0
asa1(config-if)# no management-only
Disables management-only mode (for ASA 5520, 5540 and 5550)

72 Enabling and Disabling Interfaces: shutdown Subcommand
(Diagram: GigabitEthernet0/0 (g0/0) enabled.)
ciscoasa(config-if)# shutdown
Disables an interface; no shutdown enables it
asa1(config)# interface GigabitEthernet0/0
asa1(config-if)# no shutdown

73 Network Address Translation
(Diagram: NAT between the inside local addresses and the outside mapped pool, recorded in the translation table.)

74 Enable NAT Control
(Diagram: NAT between the inside local addresses and the outside mapped pool, recorded in the translation table.)
asa1(config)# nat-control
Enables or disables the NAT configuration requirement

75 nat Command
(Diagram: inside host X is translated to X.X.X.X toward the Internet.)
ciscoasa(config)# nat (if_name) nat_id address [netmask] [dns]
Enables IP address translation
asa1(config)# nat (inside)

76 global Command
ciscoasa(config)# global (if_name) nat_id {mapped_ip[-mapped_ip] [netmask mapped_mask]} | interface
Works with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall, for example:
asa1(config)# nat (inside)
asa1(config)# global (outside)
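The nat-control, nat and global pairing of slides 73 to 76 as an added Python model (not Cisco code): a nat rule selects the local hosts on one interface, the global pool with the same nat_id supplies mapped addresses on the other, and the resulting slots are listed the way show xlate does. `DynamicNat.nat` and `DynamicNat.global_pool` stand in for the two commands (global is a Python keyword, hence the name); the addresses are constructed documentation-range samples, and dropping traffic when a pool is exhausted is the model's own simplification rather than something the slides state.

```python
"""Toy model of the nat-control, nat and global commands in slides 73 to 76.
Added example for this page, not Cisco code: a nat statement selects the local
hosts on one interface, a global statement with the same nat_id supplies the
mapped pool on the other, and each translation is recorded in an xlate table
as show xlate lists it. Addresses are constructed documentation-range samples."""
import ipaddress


class DynamicNat:
    def __init__(self, nat_control=False):
        self.nat_control = nat_control   # nat-control: traffic must match a nat rule to pass
        self.nat_rules = []              # (if_name, nat_id, IPv4Network of local hosts)
        self.pools = {}                  # (if_name, nat_id) -> free mapped addresses
        self.xlate = {}                  # local address -> mapped address (translation slot)
        self.most_used = 0

    def nat(self, if_name, nat_id, address, netmask="255.255.255.255"):
        """nat (if_name) nat_id address [netmask]: the local hosts to be translated."""
        net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
        self.nat_rules.append((if_name, nat_id, net))

    def global_pool(self, if_name, nat_id, first, last=None):
        """global (if_name) nat_id first[-last]: mapped addresses available on that interface."""
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last or first))
        self.pools[(if_name, nat_id)] = [str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1)]

    def translate(self, src, ingress, egress):
        """Return (verdict, source address as seen on the egress interface, or a drop reason)."""
        if src in self.xlate:
            return "permit", self.xlate[src]          # existing translation slot is reused
        for if_name, nat_id, net in self.nat_rules:
            if if_name == ingress and ipaddress.IPv4Address(src) in net:
                pool = self.pools.get((egress, nat_id))
                if not pool:                           # no matching global, or pool exhausted
                    return "drop", f"no mapped address for nat_id {nat_id} on {egress}"
                self.xlate[src] = pool.pop(0)
                self.most_used = max(self.most_used, len(self.xlate))
                return "permit", self.xlate[src]
        if self.nat_control:
            return "drop", "nat-control: no nat rule covers this host"
        return "permit", src                           # without nat-control, passes untranslated

    def show_xlate(self):
        """Render like show xlate."""
        lines = [f"{len(self.xlate)} in use, {self.most_used} most used"]
        lines += [f"Global {g} Local {l}" for l, g in self.xlate.items()]
        return "\n".join(lines)


def demo():
    """nat (inside) 1 for 10.0.1.0/24 with a two-address global pool on the outside, nat-control on."""
    fw = DynamicNat(nat_control=True)
    fw.nat("inside", 1, "10.0.1.0", "255.255.255.0")
    fw.global_pool("outside", 1, "192.0.2.20", "192.0.2.21")
    results = [fw.translate("10.0.1.11", "inside", "outside"),   # first host takes .20
               fw.translate("10.0.1.11", "inside", "outside"),   # same host reuses its slot
               fw.translate("10.0.1.12", "inside", "outside"),   # second host takes .21
               fw.translate("10.0.1.13", "inside", "outside"),   # pool exhausted: dropped
               fw.translate("10.0.2.5", "inside", "outside")]    # outside the nat rule: dropped
    return results, fw.show_xlate()


if __name__ == "__main__":
    results, listing = demo()
    for verdict, detail in results:
        print(verdict, detail)
    print(listing)
```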

77 Configure a Static Route: route Command
(Diagram: a default route toward the Internet and a static route on the inside.)
ciscoasa(config)# route if_name ip_address netmask gateway_ip [metric]
Defines a static or default route for an interface
asa1(config)# route outside
asa1(config)# route inside

78 Host Name-to-IP-Address Mapping: name Command
(Diagram: "bastionhost" (.2) behind the .1 DMZ interface and "insidehost" (.11) behind the .1 inside interface.)
ciscoasa(config)# name ip_address name
Configures a list of name-to-IP-address mappings on the security appliance
asa1(config)# names
asa1(config)# name bastionhost
asa1(config)# name insidehost

79 Configuration Example
(Diagram: GigabitEthernet0/0, interface name = outside, security level = 0; GigabitEthernet0/1, interface name = inside, security level = 100; the appliance's interfaces end in .1 and an outside host in .2.)
asa1(config)# write terminal
. . .
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address

80 Configuration Example (Cont.)
(Diagram: GigabitEthernet0/2, interface name = dmz, security level = 50, with "bastionhost" (.2) on the DMZ and "insidehost" on the inside.)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 speed 1000
 duplex full
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
hostname asa1
names
name bastionhost
name insidehost

81 Configuration Example (Cont.)
(Diagram: a default route toward the Internet, a static route on the inside, the mapped pool on the outside, "bastionhost" and "insidehost".)
nat-control
nat (inside)
global (outside)
route outside
route inside

82 Summary Cisco security appliances have four main administrative access modes: unprivileged, privileged, configuration, and monitor. There are two configuration memories in the Cisco security appliances: running configuration and startup configuration. The show running-config command displays the current configuration in the security appliance RAM on the terminal. You can use the copy run start or the write memory command to save the current running configuration to flash memory, startup configuration. Interfaces with a higher security level can access interfaces with a lower security level, but interfaces with a lower security level cannot access interfaces with a higher security level unless given permission. The security appliance show commands help you manage the security appliance. The basic commands that are necessary to configure Cisco security appliances are the following: interface, nat, global, and route. The nat and global commands work together to translate IP addresses.

83 Lesson 3 Managing the Security Appliance

84 Managing System Access

85 Configuring Telnet Access to the Security Appliance Console
(Diagram: a Telnet client reaching the appliance.)
ciscoasa(config)# telnet {{hostname | IP_address mask interface_name} | {IPv6_address interface_name} | {timeout number}}
Enables you to specify which hosts can access the security appliance console with Telnet and sets the maximum time a console Telnet session can be idle before being logged off by the security appliance
ciscoasa(config)# passwd password [encrypted]
Sets the password for Telnet access to the security appliance
asa1(config)# telnet inside
asa1(config)# telnet timeout 15
asa1(config)# passwd telnetpass

86 Viewing and Disabling Telnet
ciscoasa# show running-config telnet [timeout]
Displays IP addresses permitted to access the security appliance via Telnet
ciscoasa(config)# clear configure telnet
Removes the Telnet connection and the idle timeout from the configuration
ciscoasa# who [local_ip]
Enables you to view which IP addresses are currently accessing the security appliance console via Telnet
ciscoasa# kill telnet_id
Terminates a Telnet session

87 SSH Connections to the Security Appliance
Provide secure remote access
Provide strong authentication and encryption
Require RSA key pairs for the security appliance
Require 3DES/AES or DES activation keys
Allow up to five SSH clients to simultaneously access the security appliance console
Use the Telnet password for local authentication

88 Configuring SSH Access to the Security Appliance Console
ciscoasa(config)# crypto key zeroize {rsa | dsa} [label key-pair-label] [default] [noconfirm]
Removes any previously generated RSA keys
ciscoasa(config)# crypto key generate rsa [usage-keys | general-keys] [label key-pair-label] [modulus size] [noconfirm]
Generates an RSA key pair
ciscoasa(config)# write memory
Saves the CA state
ciscoasa(config)# ssh {ip_address mask | ipv6_address/prefix} interface
Specifies the host or network authorized to initiate an SSH connection
ciscoasa(config)# domain-name name
Configures the domain name
ciscoasa(config)# ssh timeout number
Specifies how long a session can be idle before being disconnected

89 Connecting to the Security Appliance with an SSH Client
(Diagram: an SSH client on the Internet logs in with username: pix, password: telnetpassword.)
asa1(config)# crypto key zeroize rsa
asa1(config)# write memory
asa1(config)# domain-name cisco.com
asa1(config)# crypto key generate rsa modulus 1024
asa1(config)# ssh outside
asa1(config)# ssh timeout 30

90 Managing Software, Licenses, and Configurations

91 Viewing Directory Contents
ciscoasa# dir [/all] [/recursive] [all-filesystems | [disk0: | disk1: | flash: | system:] path]
Displays the directory contents
asa1# dir
Directory of disk0:/
4346 -rw :01:10 Oct asa721-k8.bin
6349 -rw :30:39 Oct asdm521.bin
7705 -rw :03:57 Oct old_running.cfg
bytes total ( bytes free)
You can use the pwd command to display the current working directory.

92 Copying Files
ciscoasa# copy [/noconfirm | /pcap] {url | running-config | startup-config} {running-config | startup-config | url}
Copies a file from one location to another
asa1# copy disk0:MYCONTEXT.cfg startup-config
Copies the file MYCONTEXT.cfg from disk0 to the startup configuration

93 Downloading and Backing Up Configuration Files Example
(Diagram: the configuration file exchanged with an FTP server across the Internet.)
ciscoasa# copy ftp: startup-config
Copies the configuration file from an FTP server
ciscoasa# copy running-config ftp:
Copies the configuration file to an FTP server

94 Image Upgrade

95 Viewing Version Information
ciscoasa# show version
Displays the software version, hardware configuration, license key, and related uptime data
asa1# show version
Cisco Adaptive Security Appliance Software Version 7.2(1)
Device Manager Version 5.2(1)
Compiled on Wed 31-May-06 14:45 by root
System image file is "disk0:/asa721-k8.bin"
Config file at boot was "startup-config"
asa1 up 17 hours 40 mins
. . .

96 Image Upgrade: copy tftp://server[/path]/filename flash:/filename
(Diagram: a TFTP server reached across the Internet.)
ciscoasa# copy tftp://server[/path]/filename flash:/filename
Enables you to change software images without accessing the TFTP monitor mode.
asa1# copy tftp:// /asa721-k8.bin flash
The TFTP server at IP address receives the command and determines the actual file location from its root directory information. The server then downloads the TFTP image to the security appliance.

97 Summary
SSH provides secure remote management of the security appliance.
TFTP is used to upgrade the software image on security appliances.
You can enable Telnet to the security appliance on all interfaces.

98 Lesson 4 Access Control Lists (ACLs)

99 Security Appliance ACL Configuration
(Diagram: an ACL for inbound access on the outside interface and an ACL for outbound access on the inside interface; with no ACL, outbound is permitted by default and inbound is denied by default.)
Security appliance configuration philosophy is interface-based. An interface ACL permits and denies the initial incoming and outgoing packets on that interface. An ACL must describe only the initial packet of the application; return traffic does not need to be described.
If no ACL is attached to an interface: the outbound packet is permitted by default; the inbound packet is denied by default.

100 Inbound Traffic to DMZ Web Server
(Diagram: inbound traffic from the Internet to the public web server (.2) is blocked at the outside interface.)
There is no ACL, so by default, inbound access is denied. To permit inbound traffic, complete the following steps:
Configure a static translation for the web server address
Configure an inbound ACL
Apply the ACL to the outside interface

101 Create a Static Translation for Web Server
(Diagram: the public web server (.2) in the DMZ, reachable from the Internet through the outside interface.)
asa1(config)# static (DMZ,outside)
Maps an inside private address to an outside public address

102 access-list Command
(Diagram: permit inbound HTTP from the Internet to the public web server in the DMZ.)
ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
asa1(config)# access-list ACLOUT permit tcp any host eq www
Permits outside HTTP traffic to access the public web server

103 access-group Command
(Diagram: the ACL is applied to the outside interface, in front of the DMZ public web server.)
ciscoasa(config)# access-group access-list {in | out} interface interface_name [per-user-override]
Applies an ACL to an interface
asa1(config)# access-group ACLOUT in interface outside

104 show access-list Command
(Diagram: ACLs ICMPDMZ, ACLOUT and ACLIN on the appliance.)
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp host eq www (hitcnt=4) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host host eq ftp (hitcnt=1) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host eq www (hitcnt=8) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x2ca30385
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 extended permit icmp host bastionhost any echo-reply

105 clear access-list counters Command
[Diagram: Web Server, ACLIN, ACLOUT, Internet]
asa1(config)# clear access-list ACLOUT counters
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp host eq www (hitcnt=0) 0x984ebd70
access-list ACLOUT line 2 extended permit tcp host host eq ftp (hitcnt=0) 0x53490ecd
access-list ACLOUT line 3 extended permit tcp any host eq www (hitcnt=0) 0x83af39ca
access-list ACLOUT line 4 extended deny ip any any (hitcnt=0) 0x2ca30385
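The counter display on slides 104 and 105 can also be reviewed programmatically. The following Python is an added example, not part of the course material and not a Cisco tool: it parses show access-list output into records, flags deny entries that have matched traffic, and compares two snapshots so the counters do not have to be cleared to measure change. The sample output, its addresses (RFC 5737 ranges) and the hexadecimal values are constructed; treating the hexadecimal field at the end of each entry as a per-entry identifier that survives renumbering is an assumption about that field.

```python
"""Added example (not from the course): parse the 'show access-list' display
from slides 104/105 into records so hit counters can be reviewed and two
snapshots compared.  'clear access-list <id> counters' zeroes the counters;
a snapshot before and after preserves the history instead.  The sample
output is constructed (RFC 5737 addresses, made-up hexadecimal values); the
hexadecimal field is treated as a per-entry identifier that survives line
renumbering, which is an assumption about that field.
"""
import re
from dataclasses import dataclass

# One extended entry: "access-list NAME line N extended permit|deny RULE (hitcnt=H) 0xID"
# (the page shows the hex value both with and without a space after the counter).
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) ?(?P<id>0x[0-9a-fA-F]+)$"
)


@dataclass
class AceCounter:
    acl: str
    line: int
    action: str
    rule: str
    hits: int
    ace_id: str


def parse_show_access_list(text):
    """Return one AceCounter per extended entry; header, cached-flow and remark lines carry no counter."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            entries.append(AceCounter(m["acl"], int(m["line"]), m["action"],
                                      m["rule"], int(m["hits"]), m["id"]))
    return entries


def deny_entries_with_hits(entries):
    """Deny entries that have matched traffic: the lines worth a second look."""
    return [e for e in entries if e.action == "deny" and e.hits > 0]


def hit_delta(before, after):
    """Hit increase per entry between snapshots, keyed by (acl, ace_id) rather than line number."""
    prev = {(e.acl, e.ace_id): e.hits for e in before}
    return {(e.acl, e.ace_id): e.hits - prev.get((e.acl, e.ace_id), 0) for e in after}


# Constructed snapshot in the slide's layout (addresses and hex values are made up).
SNAPSHOT_BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACLOUT; 4 elements
access-list ACLOUT line 1 extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq www (hitcnt=4) 0x0a0b0c01
access-list ACLOUT line 2 extended permit tcp host 198.51.100.7 host 192.0.2.10 eq ftp (hitcnt=1) 0x0a0b0c02
access-list ACLOUT line 3 extended permit tcp any host 192.0.2.10 eq www (hitcnt=8)0x0a0b0c03
access-list ACLOUT line 4 extended deny ip any any (hitcnt=4) 0x0a0b0c04
access-list ICMPDMZ; 1 elements
access-list ICMPDMZ line 1 extended permit icmp host 10.0.1.20 any echo-reply (hitcnt=0) 0x0a0b0c05
"""

# Same ACL later, after a remark was inserted at line 2 (entries below it renumbered).
SNAPSHOT_AFTER = """\
access-list ACLOUT; 5 elements
access-list ACLOUT line 1 extended permit tcp 198.51.100.0 255.255.255.0 host 192.0.2.10 eq www (hitcnt=4) 0x0a0b0c01
access-list ACLOUT line 2 remark partner FTP access
access-list ACLOUT line 3 extended permit tcp host 198.51.100.7 host 192.0.2.10 eq ftp (hitcnt=1) 0x0a0b0c02
access-list ACLOUT line 4 extended permit tcp any host 192.0.2.10 eq www (hitcnt=20) 0x0a0b0c03
access-list ACLOUT line 5 extended deny ip any any (hitcnt=10) 0x0a0b0c04
"""


def review(before_text, after_text):
    """Summarise which deny entries have hits and how every entry's counter moved."""
    before, after = parse_show_access_list(before_text), parse_show_access_list(after_text)
    return {
        "deny_hits": [(e.acl, e.line, e.hits) for e in deny_entries_with_hits(after)],
        "delta": hit_delta(before, after),
    }


if __name__ == "__main__":
    for key, value in review(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(key, value)
```

Keying the comparison on the hexadecimal identifier instead of the line number matters because inserting a remark or a new entry renumbers everything below it, as slide 107 shows; the explicit deny entry is the one to watch, since its counter is the only evidence of traffic the list turned away.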

106 ACL Logging
[Diagram: Syslog Server, ACL, Syslog Messages, Internet]
ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id} {host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]
asa1(config)# access-list OUTSIDE-ACL permit icmp any host log 7 interval 600
Enables the logging option for inbound ICMP to

107 ACL Comments
ciscoasa(config)# access-list id [line line-number] remark text
Inserts ACL comment
asa1(config)# access-list ACLOUT line 2 remark WebMailA access-list
asa1(config)# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACLOUT; 6 elements
access-list ACLOUT line 1 extended permit tcp any host eq www (hitcnt=0) 0x3df6ed1e
access-list ACLOUT line 2 remark WebMailA access-list
access-list ACLOUT line 3 extended permit tcp any host eq www (hitcnt=0) 0xd5383eba
access-list ACLOUT line 4 extended permit tcp any host eq www (hitcnt=0) 0x2c4288ad
access-list ACLOUT line 5 extended permit tcp any host eq www (hitcnt=0) 0xb70c935b
access-list ACLOUT line 6 extended permit tcp any host eq www (hitcnt=0) 0x8b43382e
Note: line 3 is the former line 2. Inserting the remark at line 2 renumbers every entry below it.

108 Inbound HTTP Access Solution
[Diagram: DMZ, Public Web Server, Inbound, Inside, Internet, Outside]
asa1(config)# static (DMZ,outside)
asa1(config)# access-list ACLOUT permit tcp any host eq www
asa1(config)# access-group ACLOUT in interface outside
Permits outside HTTP traffic to access the public web server

109 icmp Command
[Diagram: Outside, Inside, Internet; ICMP Echo blocked (X), ICMP Unreachable permitted]
ciscoasa(config)# icmp {permit | deny} {host sip | sip smask | any} [icmp-type] if_name
Enables or disables pinging to an interface
asa1(config)# icmp permit any echo-reply outside
asa1(config)# icmp permit any unreachable outside
Permits all unreachable messages at the outside interface and denies all ping requests at the outside interface: once any icmp rule is configured for an interface, ICMP types that are not explicitly permitted fall to the implicit deny at the end of the list, so echo requests are dropped.

110 Summary
ACLs enable you to determine which systems can establish connections through your security appliance.
With ICMP ACLs, you can disable pinging to a security appliance interface so that your security appliance cannot be detected on your network.

111 Cisco Adaptive Security Device Manager
Lesson 5 Cisco Adaptive Security Device Manager

112 ASDM Overview and Operating Requirements

113 What Is ASDM?
[Diagram: Internet, SSL Secure Tunnel]
ASDM is a browser-based configuration tool designed to help configure and monitor your security appliance.

114 ASDM Features
Runs on a variety of platforms
Implemented in Java to provide robust, real-time monitoring
Works with SSL to ensure secure communication with the PIX security appliance
Comes preloaded in flash memory on new Cisco ASA and Cisco PIX security appliances running Versions 7.2 and later
ASDM sessions: 5 ASDM sessions per unit (single mode) or context (multiple mode); 32 sessions per unit in multiple mode
Operates on PIX 515E, 525, and 535* Security Appliances
Operates on Cisco ASA 5505, 5510, 5520, 5540, and 5550 Security Appliances
* ASDM Version 5.2 is not supported on the PIX 501 or 506 Security Appliance.

115 ASDM Security Appliance Requirements
A security appliance must meet the following requirements to run ASDM:
Activation key that enables DES or 3DES
Supported Java plug-in
Security appliance software version compatible with the ASDM software version you plan to use*
Hardware model compatible with the ASDM software version you plan to use
* ASDM Version 5.2 requires Security Appliance Software Version 7.2.

116 ASDM Browser Requirements
To access ASDM from a browser, the following requirements must be met:
JavaScript and Java must be enabled on the computer where the browser resides.
SSL must be enabled in the browser.
Popup blockers may prevent ASDM from starting.

117 Supported Platforms Windows Sun Solaris Linux

118 Running ASDM Run ASDM as a: Local application Java applet
Launch Startup Wizard

119 Configure the Security Appliance to Use ASDM
Before you can use ASDM, you need to enter the following information on the security appliance via a console terminal:
Time
Inside IP address
Inside network mask
Host name
Domain name
Enable the HTTP server on the security appliance
IP addresses of hosts authorized to access the HTTP server
If more than one ASDM image is stored in the flash memory of your security appliance, also specify the ASDM image to be used.

120 Setup Dialog
Pre-configure Firewall now through interactive prompts [yes]? <Enter>
Firewall Mode [Routed]:
Enable Password [<use current password>]: cisco123
Allow password recovery [yes]?
Clock (UTC)
  Year [2006]: <Enter>
  Month [Sep]: <Enter>
  Day [2]: <Enter>
  Time [10:21:49]: <Enter>
Inside IP address:
Inside network mask:
Host name: asa1
Domain name: ciscoasa.com
IP address of host running Device Manager:
Use this configuration and write to flash? Y

121 Navigating ASDM Configuration Windows

122 ASDM Home Window Main toolbar Device Information General License
VPN Status System Resources Interface Status Traffic Menu bar Syslog Messages

123 ASDM Home Window (Cont.)
License tab

124 Startup Wizard Startup Wizard Interfaces NAT and PAT Hostname
Domain name Enable password

125 VPN Wizard
Site-to-Site
Remote Access
Note: Use Configuration > VPN to edit VPN connections.

126 High Availability and Scalability Wizard
Active/Active Failover Active/Standby Failover VPN Cluster Load Balancing

127 Configuration Window Configuration Interface Security Policy NAT VPN
IPS or CSD Manager Routing Global Objects Properties

128 Interfaces IP address Static DHCP Same security level

129 Security Policy Access Rules AAA Rules Filter Rules
Service Policy Rules

130 NAT Translation Rules NAT Policy NAT NAT exemption Maximum connections
Embryonic connections NAT0

131 VPN Edit VPN General IKE IPsec IP Address Management Load Balancing NAC WebVPN Proxy Note: Use the Remote Access or Site-to-Site VPN Wizard for new VPN connections.

132 Routing Static Routes Dynamic Routing OSPF RIP Multicast IGMP MRoute
PIM Proxy ARPs

133 Global Objects Network Object Groups IP Names Service Groups
Class Maps Inspect Maps Regular Expressions TCP Maps Time Ranges

134 Monitoring Button Interfaces VPN IPS or Trend Micro Content Security
Routing Properties Logging

135 Interface Graphs Panel
The Interface Graphs panel enables you to monitor per-interface statistics, such as bit rates, for each enabled interface on the security appliance.

136 Packet Tracer Interface Source IP Destination IP Source port
Destination port Flow lookup Route lookup Access list

137 Options > Preferences

138 Tools Tools Command Line Interface Packet Tracer Ping Traceroute
File Management Upgrade Software Upload ASDM Assistant Guide System Reload ASDM Java Console

139 Help Help Help Topics Help for Current Screen Release Notes
Getting Started VPN 3000 Migration Guide Glossary ….

140 Online Help

141 Summary
ASDM is a browser-based tool used to configure your security appliance.
Minimal setup on the security appliance is required to run ASDM.
ASDM contains several tools in addition to the GUI to help you configure your security appliance.
The following ASDM wizards are available to simplify security appliance configuration:
Startup Wizard: Walks you step by step through the initial configuration of the security appliance
VPN Wizard: Walks you step by step through the creation of site-to-site and remote access VPNs
High Availability and Scalability Wizard: Walks you step by step through the configuration of active/active failover, active/standby failover, and VPN cluster load balancing

142 Firewall Switch Modules (FWSM)
Lesson 6 Firewall Switch Modules (FWSM)

143 Overview
The Cisco Firewall Services Module (FWSM) is based on Cisco PIX Security Appliance technology, and therefore offers the same security and reliability.
The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.

144 FWSM Key Features
• Brings switching and firewalls into a single chassis
• Based on PIX Firewall technology
• Supports transparent or routed firewall mode
• Up to 100 security contexts
  – Up to 256 VLANs per context
  – Up to 1000 VLANs all contexts
• 5-Gbps throughput
• One million concurrent connections
• 100,000 connections per second
• Multiple blades supported in one chassis (4 maximum)
• Dynamic routing via RIP v1 and v2 and OSPF
• High availability via intra- or inter-chassis stateful failover

145 FWSM and PIX Firewall Feature Comparison

146 Network Model

147 MSFC Placement

148 Getting Started with the FWSM
Before you can begin configuring the FWSM, complete the following tasks:
• Verify FWSM installation.
• Configure the switch VLANs.
• Configure the FWSM VLANs.

149 Verify FWSM Installation

150 Configure the Switch VLANs
Create VLAN: defines a controlled VLAN on the MSFC and assigns an IP address.

151 Firewall VLAN-Group Creates a firewall group of controlled VLANs
Attaches the VLAN and firewall group to the slot where the FWSM is located

152 Configure the FWSM Interfaces
Establishes a console session with the module. Processor should always be 1.

153 Configure a Default Route
• Static routes are required in multiple context mode.

154 Configure the FWSM Access-List
FWSM1(config)# access-list 200 permit ip any
FWSM1(config)# access-group 200 in interface inside
By default all traffic is denied through the FWSM.
• Traffic permitted into an interface can exit through any other interface

155 Resetting and Rebooting the FWSM
Resets and reboots the FWSM

156 Summary
The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.
The FWSM is a high-performance firewall solution based on PIX Firewall Security Appliance technology.
The FWSM supports transparent and routed firewall modes.
The FWSM commands are almost identical to security appliance commands.
PDM can be used to configure and monitor the FWSM.

